The Schrems II decision came out nearly 2 years ago, on 16 July 2020. Given the enormous data flows from the EEA and UK to the USA, and many unanswered questions after the decision, most organisations chose to wait to see what assistance European regulators came out with, and whether a successor to the Privacy Shield would be rushed out.
It's March 2022, and they're still waiting.
Is the relative peace about to be shattered?
Schrems II is the short name given to the 2020 decision by Europe’s top court (the CJEU), that invalidated Privacy Shield, the adequacy decision that we all relied on to legitimately transfer personal data from the EEA (effectively including the UK at the time) to the USA.
It was the sequel to 2015’s blockbuster case Schrems I, which in our innocence we used to just call Schrems.
Absolutely, and both Schrems I and Schrems II come from the same fundamental issue: transfer of personal data from the EEA to the US by Facebook.
Hey presto, on 6 October 2015, the CJEU held the Safe Harbor invalid due to US surveillance law.
There were some similarities with Schrems II:
But there were three major differences:
After Safe Harbor fell, Facebook said it relied on SCCs for transfers to the USA, so Max Schrems changed his complaint and the whole process started again:
Just for completeness, under EU Data Protection law (the 95 DPD and then GDPR) no personal data can be sent outside or accessed outside the EEA (a ‘transfer’) unless:
Safe Harbor and Privacy Shield were structures run by the US Dept of Commerce that US entities could sign up to, voluntarily accepting to abide by key EU Data Protection principles and accepting certain jurisdiction of EEA DPAs.
Privacy Shield is still live, although invalid under GDPR, with many entities still signed up in the hope that its successor will come soon and everyone can just transition.
It’s March 2022, 19 months after Schrems II. There’s still no replacement to Privacy Shield.
There’s a fair bit of reporting that we may be close. It remains to be seen how any suggested solution will pass through the required process – and whether we’ll see it challenged, perhaps even a Schrems III…
It takes time for enforcement proceedings to work through the system, but it didn’t take a month for Max Schrems’s NOYB (None of Your Business) organisation to file 101 complaints with European DPAs about the use of Google and Facebook by websites in Europe.
The first complaints were filed in early August 2020, and January 2022 saw the first national Data Protection Authority (DPA) decision, from the Austrian DSB. We’ve a great summary of the 3 decisions on the use of Google Analytics, as set out in those cases, being contrary to GDPR.
We’re 19 months after Schrems II, when the gap was only 10 months after Schrems I. The EDPB issued some Recommendations which didn’t offer much respite in practice. The risk-based approach many have high hopes for was given short shrift in the 3 GA decisions. And those first decisions aren’t really about GA, they’re about any transfer to a cloud provider in the US – indeed any US entity covered by FISA 702 and similar laws.
We decided we couldn’t wait for our vendors to move towards compliance – Schrems II compliance – so we put in place various projects to ‘Schremsify’ our tech stack. Our Schrems-compliant new datacenter is the most visible part of that, but for example, we’ve found a Schrems-compliant marketing automation solution and calendar meeting solution.
So what to do, in practice?
Or – choose a provider that is Schrems-compliant.
Do you know all your processors, or all your transfers? Keepabl’s Privacy Management Software is your out-of-the-box Privacy Framework that leads you through the process, identifying all the loose ends and pulling it all together in instant reports and visuals.
Did you know our users believe we save between 50 and 70% of your ongoing compliance?
We were delighted to be joined in Privacy Kitchen by Chris Taylor, the UK ICO’s Head of Assurance whose team set up the ICO Sandbox, manages the ICO’s guidance and…